Capture and inspect network traffic instantly from the shell using tshark.

26.12.2025

Need a fast proof-of-life for network troubleshooting? tshark is the command-line Wireshark: capture on an interface, apply BPF capture filters, write a pcap, or print packets with display filters — all from the shell for rapid diagnosis.

## Capture a quick HTTP snapshot

Run a focused capture for a few packets and save them for inspection:

```
tshark -i eth0 -f "tcp port 80" -c 50 -w http.pcap -s 0 -n
```

Then inspect the saved traffic with a Wireshark-style display filter:

```
tshark -r http.pcap -Y "http.request" -V
```

Sample live line you might see:

```
1 0.000000 192.168.1.10 -> 93.184.216.34 TCP 74 GET /index.html
```

## Tune captures for speed

Speed matters. Capture only what you need with `-f` (BPF) and stop after N packets with `-c`. Avoid name resolution with `-n`, capture full packets with `-s 0`, write raw pcaps with `-w` and filter later with `-Y`, or extract fields using `-T fields -e` for scripting output. Remember that live capture requires root or a capture-capable dumpcap, so in production prefer running dumpcap with capabilities.

## When to reach for other tools

Use tshark for rapid, scriptable captures and quick inspection. Switch to tcpdump for minimal installs and tiny output, to the Wireshark GUI for deep protocol analysis and visual follow-streams, or to dumpcap when you need unprivileged, high-performance packet collection. The tools combine well: capture with dumpcap/tshark, analyze with Wireshark.

## Next steps

Start practicing captures on a lab host, build small scripts to automate frequent filters, and expand your Linux skills: consider exam paths like CompTIA Linux+ or LPIC-1 and intensive prep at bitsandbytes.academy to turn these practical abilities into certified competence.
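The `-T fields -e` extraction mentioned above, worked into a small script as an added example (not part of the original article): it counts HTTP requests per host in a saved capture and how many of them carried an `Authorization` header in cleartext. The function names are hypothetical and the rows in `sample_rows` are constructed so the script also runs without tshark or a pcap.

```shell
#!/bin/sh
# Added example: per-host HTTP request summary from a saved capture.

# Emit one tab-separated row per HTTP request in the pcap given as $1:
# source IP, Host header, method, URI, Authorization header (empty if absent).
extract_requests() {
    tshark -r "$1" -n -Y "http.request" -T fields -E separator=/t \
        -e ip.src -e http.host -e http.request.method \
        -e http.request.uri -e http.authorization
}

# Read those rows on stdin and print "requests<TAB>host<TAB>requests_with_auth",
# busiest host first. Header values are counted, never printed.
summarize_requests() {
    awk -F'\t' '
        $2 != "" { total[$2]++; if ($5 != "") auth[$2]++ }
        END { for (h in total) printf "%d\t%s\t%d\n", total[h], h, auth[h] + 0 }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Constructed sample rows in the same column layout (not real traffic).
# The last row has no Host header and is skipped by the summary.
sample_rows() {
    printf '192.168.1.10\texample.test\tGET\t/index.html\t\n'
    printf '192.168.1.10\texample.test\tGET\t/style.css\t\n'
    printf '192.168.1.11\tintranet.test\tPOST\t/login\tBasic PLACEHOLDER\n'
    printf '192.168.1.10\t\tGET\t/nohost\t\n'
}

# Summarize the pcap passed as the first argument when tshark is installed;
# otherwise fall back to the constructed sample.
if [ -n "${1:-}" ] && command -v tshark >/dev/null 2>&1; then
    extract_requests "$1" | summarize_requests
else
    sample_rows | summarize_requests
fi
```

A non-zero third column means credentials crossed the wire unencrypted on that host, which is the finding to chase after a port 80 capture such as `http.pcap`.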